Potential Sudo Privilege Escalation via CVE-2019-14287
This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate privileges to root. Sudo does not verify that the specified user ID exists and proceeds to execute with an arbitrarily chosen user ID. When run with sudo privileges, the command "sudo -u#-1" is translated to user ID 0, the root user. This exploit may work for sudo versions prior to v1.28.
Elastic rule
```toml
[metadata]
creation_date = "2023/08/30"
integration = ["endpoint"]
maturity = "production"
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
min_stack_version = "8.3.0"
updated_date = "2023/08/30"

[rule]
author = ["Elastic"]
description = """
This rule monitors for the execution of a suspicious sudo command that is leveraged in CVE-2019-14287 to escalate
privileges to root. Sudo does not verify the presence of the designated user ID and proceeds to execute using a user ID
that can be chosen arbitrarily. By using the sudo privileges, the command "sudo -u#-1" translates to an ID of 0,
representing the root user. This exploit may work for sudo versions prior to v1.28.
"""
from = "now-9m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Sudo Privilege Escalation via CVE-2019-14287"
references = ["https://www.exploit-db.com/exploits/47502"]
risk_score = 47
rule_id = "8af5b42f-8d74-48c8-a8d0-6d14b4197288"
severity = "medium"
tags = ["Domain: Endpoint", "OS: Linux", "Use Case: Threat Detection", "Tactic: Privilege Escalation", "Data Source: Elastic Defend", "Use Case: Vulnerability"]
timestamp_override = "event.ingested"
type = "eql"
query = '''
process where host.os.type == "linux" and event.action == "exec" and event.type == "start" and
process.name == "sudo" and process.args == "-u#-1"
'''

[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1068"
name = "Exploitation for Privilege Escalation"
reference = "https://attack.mitre.org/techniques/T1068/"

[rule.threat.tactic]
id = "TA0004"
name = "Privilege Escalation"
reference = "https://attack.mitre.org/tactics/TA0004/"
```
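To make the query's semantics concrete, the following added example (written for this page, not Elastic's EQL engine or the rule's own code) re-implements the rule's predicate in Python and runs it over constructed ECS-style process events; the events, pids and field values are made up, and `event.type` is treated as an array the way Elastic Defend ships it.

```python
"""Re-implements the rule's EQL predicate and runs it over sample events,
showing exactly which process events would raise this alert."""

# Constructed sample events (not real telemetry), nested like ECS documents.
SAMPLE_EVENTS = [
    {"host": {"os": {"type": "linux"}}, "event": {"action": "exec", "type": ["start"]},
     "process": {"pid": 4101, "name": "sudo", "args": ["sudo", "-u#-1", "/bin/bash"]}},
    # Ordinary switch to an existing, unprivileged user: must not alert.
    {"host": {"os": {"type": "linux"}}, "event": {"action": "exec", "type": ["start"]},
     "process": {"pid": 4102, "name": "sudo", "args": ["sudo", "-u#1000", "id"]}},
    # Process-end event for the same command: the rule only fires on exec/start.
    {"host": {"os": {"type": "linux"}}, "event": {"action": "end", "type": ["end"]},
     "process": {"pid": 4101, "name": "sudo", "args": ["sudo", "-u#-1", "/bin/bash"]}},
    # Same arguments on a non-Linux host: outside the rule's scope.
    {"host": {"os": {"type": "windows"}}, "event": {"action": "exec", "type": ["start"]},
     "process": {"pid": 4103, "name": "sudo", "args": ["sudo", "-u#-1", "cmd"]}},
]

def get_field(event, dotted_path):
    """Resolve an ECS dotted field name against a nested dict; None if absent."""
    node = event
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def eql_eq(value, expected):
    """EQL '==' semantics: an array-valued field matches when any element equals."""
    if isinstance(value, list):
        return expected in value
    return value == expected

def matches_cve_2019_14287_rule(event):
    """The rule's 'process where ...' clause, checked term by term."""
    return (eql_eq(get_field(event, "host.os.type"), "linux")
            and eql_eq(get_field(event, "event.action"), "exec")
            and eql_eq(get_field(event, "event.type"), "start")
            and eql_eq(get_field(event, "process.name"), "sudo")
            and eql_eq(get_field(event, "process.args"), "-u#-1"))

def alerting_pids(events):
    """Return the pids of the events that would trigger this rule."""
    return [get_field(e, "process.pid") for e in events if matches_cve_2019_14287_rule(e)]

if __name__ == "__main__":
    print(alerting_pids(SAMPLE_EVENTS))  # [4101]: only the exec/start event with -u#-1
```

Note that `process.args` is matched as a whole argument, so the rule keys on the exact `-u#-1` token the referenced exploit uses rather than on the resulting uid.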
Related rules
- Potential Privilege Escalation via Recently Compiled Executable
- Network Connection via Recently Compiled Executable
- Potential Linux Tunneling and/or Port Forwarding
- Potential Protocol Tunneling via Chisel Client
- Potential Protocol Tunneling via Chisel Server